Last month NSS Labs, an independent security research and testing organization, released its Browser Security Comparative Analysis that shows Internet Explorer 10 blocks more socially-engineered malware than any other browser on Windows with its SmartScreen and Application Reputation technologies. But SmartScreen and Application Reputation are only one piece of how Internet Explorer 10 protects Windows customers. Internet Explorer 10 includes significant advancements in security to help keep you safer as you browse the Internet. Backed by third-party evidence, Internet Explorer 10 not only blocks over 99% of malware, but also has fewer software vulnerabilities than other browsers on Windows.
To get this level of protection, IE10 follows multiple security strategies to better protect people on the Web, including:
Protection from socially-engineered attacks
By imitating or compromising trusted web sites, malware authors try to trick users into sharing personal information or downloading and executing malicious software. To help protect users from these socially-engineered attacks, Microsoft uses a combination of URL filtering and application reputation. SmartScreen URL filtering and Application Reputation provide the best protection available against malware attacks.
Protection from attacks on web sites
Even “good” web sites can sometimes have security vulnerabilities that can allow malicious sites to steal your data or perform actions as if they were you. Internet Explorer helps protect you with the XSS Filter, which automatically prevents certain types of attacks and makes it easier for Web sites to secure themselves with Declarative Security features, like IE10’s support for the HTML5 Sandbox.
Protection against attacks on the browser or operating system
Automatic updating ensures that you have the latest updates installed. This protects you against security issues that have already been fixed. Internet Explorer 9 added significant memory protection features to make it harder to exploit certain types of vulnerabilities, which were enhanced in IE10. We also added a new layer of protection in IE10 called Enhanced Protected Mode.
How secure is Internet Explorer 10? There are various ways of measuring this, but one widely-accepted way is to assess how well browsers perform against real-world attacks. We can also look at the number of software vulnerabilities, as a measure of engineering quality. Let’s look at each briefly.
Real-World Attacks
Last month’s report on socially-engineered malware by NSS Labs used over 96,000 test cases involving live malware across a 28-day period. It showed that Internet Explorer blocks more real-world attacks than other browsers. This is not surprising, as Microsoft originally released SmartScreen five years ago and continues to evolve protections like Application Reputation.
This chart shows that Chrome, Firefox, and Safari all use Google’s Safe Browsing API to block malicious URLs at about a 10% success rate. Most of Chrome’s protection comes after users have downloaded malicious software, in the form of a warning. By comparison, Internet Explorer 10’s SmartScreen URL filtering alone blocks as much as Chrome—and when Application Reputation is added, IE10 blocked over 99% of malware. For a user, this is very important. It’s safer to block malware before it’s downloaded versus warning someone after the fact.
Put differently, only four pieces of malware out of a thousand bypassed Internet Explorer’s protections. For Chrome, about two out of ten attacks would have relied on other protection like antivirus software. For Firefox and Safari, nine out of ten attacks would need to be stopped elsewhere. This is a great example of why the security principle of "defense in depth" is important. Every system has multiple layers of security—but how much do you trust the other layers to catch what your browser might miss?
Quality of Engineering
The Microsoft Secure Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements, while reducing development cost. Internet Explorer—like other Microsoft products—is developed using SDL best practices to decrease security vulnerabilities. How does Internet Explorer fare, when looking at the quality of security engineering? Analyst reports like the Secunia Vulnerability Review 2013 and Symantec’s 2013 Internet Security Threat Report show that Internet Explorer has far fewer security vulnerabilities than the competition.
Software Vulnerabilities, according to the Secunia Vulnerability Review 2013
These results agree with the US NIST National Vulnerability Database, which tracks all software vulnerabilities. Of course not all these vulnerabilities may be prone to attack, but this is a good proof point for the success of the Secure Development Lifecycle process and the high quality of Internet Explorer engineering in protecting people from vulnerabilities.
Safer Browsing
Your browser is the first line of defense in keeping you safe on the Web. Internet Explorer 10 was designed with security in mind, and third-party reports like those from NSS Labs and Secunia show that IE10 provides industry-leading security for Windows customers. If you’re looking for a web experience that is fast, fluid and safer, try Internet Explorer 10 for Windows.
Senior Product Marketing Manager, Internet Explorer